By Gagandeep Singh
18-Feb-2023
A new malware was discovered named, ProxyShellMiner.
The attack was spotted by a security firm; threat actors were abusing the ProxyShell vulnerability.
Attackers deploy a NET malware payload into the NETLOGON folder of the domain controller.
To activate malware, the malware requires a command line parameter which works as a password for the XMRig miner component.
The DLL file is used for decrypting additional files, and there's also a second downloader as well.
The downloader establishes a connection with the compromised computer by creating a scheduled task.
The malware checks the browsers of the infected computer and then launches an attack.
The malware tries to evade the detection of the security programmes by monitoring its activity.